+++ /dev/null
-From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 27 Feb 2016 03:43:58 +0100
-Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
- docs-xml/smbdotconf/security/clientsigning.xml | 3 +++
- source3/include/proto.h | 1 +
- source3/param/loadparm.c | 12 ++++++++++++
- 4 files changed, 39 insertions(+)
- create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
-
-diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml
-new file mode 100644
-index 0000000..1897fc6
---- /dev/null
-+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
-@@ -0,0 +1,23 @@
-+<samba:parameter name="client ipc signing"
-+ context="G"
-+ type="enum"
-+ enumlist="enum_smb_signing_vals"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>This controls whether the client is allowed or required to use SMB signing for IPC$
-+ connections as DCERPC transport inside of winbind. Possible values
-+ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
-+ and <emphasis>disabled</emphasis>.
-+ </para>
-+
-+ <para>When set to auto, SMB signing is offered, but not enforced and if set
-+ to disabled, SMB signing is not offered either.</para>
-+
-+ <para>Connections from winbindd to Active Directory Domain Controllers
-+ always enforce signing.</para>
-+</description>
-+
-+<related>client signing</related>
-+
-+<value type="default">mandatory</value>
-+</samba:parameter>
-diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml
-index c657e05..189a7ae 100644
---- a/docs-xml/smbdotconf/security/clientsigning.xml
-+++ b/docs-xml/smbdotconf/security/clientsigning.xml
-@@ -12,6 +12,9 @@
- <para>When set to auto, SMB signing is offered, but not enforced.
- When set to mandatory, SMB signing is required and if set
- to disabled, SMB signing is not offered either.
-+
-+ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
-+ <smbconfoption name="client ipc signing"/> option.</para>
- </para>
- </description>
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 43008ea..af950aa 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1693,6 +1693,7 @@ const char **lp_winbind_nss_info(void);
- int lp_algorithmic_rid_base(void);
- int lp_name_cache_timeout(void);
- int lp_client_signing(void);
-+int lp_client_ipc_signing(void);
- int lp_server_signing(void);
- int lp_client_ldap_sasl_wrapping(void);
- char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index c5249b7..a612e5a3 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -366,6 +366,7 @@ struct global {
- int restrict_anonymous;
- int name_cache_timeout;
- int client_signing;
-+ int client_ipc_signing;
- int server_signing;
- int client_ldap_sasl_wrapping;
- int iUsershareMaxShares;
-@@ -2319,6 +2320,15 @@ static struct parm_struct parm_table[] = {
- .flags = FLAG_ADVANCED,
- },
- {
-+ .label = "client ipc signing",
-+ .type = P_ENUM,
-+ .p_class = P_GLOBAL,
-+ .ptr = &Globals.client_ipc_signing,
-+ .special = NULL,
-+ .enum_list = enum_smb_signing_vals,
-+ .flags = FLAG_ADVANCED,
-+ },
-+ {
- .label = "server signing",
- .type = P_ENUM,
- .p_class = P_GLOBAL,
-@@ -5470,6 +5480,7 @@ static void init_globals(bool reinit_globals)
- Globals.bClientUseSpnego = True;
-
- Globals.client_signing = Auto;
-+ Globals.client_ipc_signing = Required;
- Globals.server_signing = False;
-
- Globals.bDeferSharingViolations = True;
-@@ -6071,6 +6082,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Globals.szWinbindNssInfo)
- FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
- FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
- FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
-+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
- FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
- FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
-
---
-2.8.1
-
-
-From 633fcce5f7f488738ef8f45393aa8990e01118f4 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 5 Apr 2016 10:46:53 +0200
-Subject: [PATCH 2/4] CVE-2016-2115: s3: Use lp_client_ipc_signing() if we are
- not an smb client
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Pair-Programmed-With: Ralph Boehme <slow@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- source3/param/loadparm.c | 14 ++++++++++++++
- source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +-
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index a612e5a3..c58f860 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -9712,6 +9712,20 @@ static bool lp_load_ex(const char *pszFname,
- lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
- }
-
-+ if (!lp_is_in_client()) {
-+ switch (lp_client_ipc_signing()) {
-+ case Required:
-+ lp_set_cmdline("client signing", "mandatory");
-+ break;
-+ case Auto:
-+ lp_set_cmdline("client signing", "auto");
-+ break;
-+ case False:
-+ lp_set_cmdline("client signing", "disabled");
-+ break;
-+ }
-+ }
-+
- init_iconv();
-
- bAllowIncludeRegistry = true;
-diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
-index 181a7b5..a0fcf27 100644
---- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
-+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
-@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
- "", /* username */
- "", /* domain */
- "", /* password */
-- 0, lp_client_signing());
-+ 0, False);
-
- if ( !NT_STATUS_IS_OK( ret ) ) {
- DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
---
-2.8.1
-
-
-From e319838866bdd3f5f1602b441516d07a1171ab24 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Thu, 31 Mar 2016 11:30:03 +0200
-Subject: [PATCH 3/4] CVE-2016-2115: s3/param: pick up s4 option "winbind
- sealed pipes"
-
-This will be used in the next commit to prevent mitm attacks on on lsa,
-samr and netlogon in winbindd.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 15 +++++++++++++++
- source3/include/proto.h | 1 +
- source3/param/loadparm.c | 12 ++++++++++++
- 3 files changed, 28 insertions(+)
- create mode 100644 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-
-diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-new file mode 100644
-index 0000000..016ac9b
---- /dev/null
-+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-@@ -0,0 +1,15 @@
-+<samba:parameter name="winbind sealed pipes"
-+ context="G"
-+ type="boolean"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>This option controls whether any requests from winbindd to domain controllers
-+ pipe will be sealed. Disabling sealing can be useful for debugging
-+ purposes.</para>
-+
-+ <para>The behavior can be controlled per netbios domain
-+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
-+</description>
-+
-+<value type="default">yes</value>
-+</samba:parameter>
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index af950aa..ac1540f 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1690,6 +1690,7 @@ int lp_winbind_cache_time(void);
- int lp_winbind_reconnect_delay(void);
- int lp_winbind_max_clients(void);
- const char **lp_winbind_nss_info(void);
-+bool lp_winbind_sealed_pipes(void);
- int lp_algorithmic_rid_base(void);
- int lp_name_cache_timeout(void);
- int lp_client_signing(void);
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index c58f860..fdc9407 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -215,6 +215,7 @@ struct global {
- int winbind_expand_groups;
- bool bWinbindRefreshTickets;
- bool bWinbindOfflineLogon;
-+ bool bWinbindSealedPipes;
- bool bWinbindNormalizeNames;
- bool bWinbindRpcOnly;
- bool bCreateKrb5Conf;
-@@ -4775,6 +4776,15 @@ static struct parm_struct parm_table[] = {
- .flags = FLAG_ADVANCED,
- },
- {
-+ .label = "winbind sealed pipes",
-+ .type = P_BOOL,
-+ .p_class = P_GLOBAL,
-+ .ptr = &Globals.bWinbindSealedPipes,
-+ .special = NULL,
-+ .enum_list = NULL,
-+ .flags = FLAG_ADVANCED,
-+ },
-+ {
- .label = "winbind normalize names",
- .type = P_BOOL,
- .p_class = P_GLOBAL,
-@@ -5468,6 +5478,7 @@ static void init_globals(bool reinit_globals)
- Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
- Globals.bWinbindRefreshTickets = False;
- Globals.bWinbindOfflineLogon = False;
-+ Globals.bWinbindSealedPipes = True;
-
- Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
- Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
-@@ -5747,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups, &Globals.bWinbindNestedGroups)
- FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
- FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
- FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
-+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
- FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
- FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
- FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
---
-2.8.1
-
-
-From b47d8644e6a826f01dae3911fc510a7b2ff60273 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Fri, 5 Sep 2014 17:00:31 +1200
-Subject: [PATCH 4/4] CVE-2016-2115: winbindd: Do not make anonymous
- connections by default
-
-The requirement is that we have "winbind sealed pipes = false" and
-"require strong key = false" before we make anonymous connections.
-These are a security risk as we cannot prevent MITM attacks.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(backported from commit e2cd3257141bd4a88cda1fff5bde9df60b253a97)
----
- source3/winbindd/winbindd_cm.c | 32 +++++++++++++++++++++++++++++++-
- 1 file changed, 31 insertions(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index 8271279..50a341e 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- TALLOC_FREE(conn->samr_pipe);
-
- anonymous:
-+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+ status = NT_STATUS_DOWNGRADE_DETECTED;
-+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
-+ "without connection level security, "
-+ "must set 'winbind sealed pipes = false' "
-+ "to proceed: %s\n",
-+ domain->name, nt_errstr(status)));
-+ goto done;
-+ }
-
- /* Finally fall back to anonymous. */
- status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
-@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
-
- anonymous:
-
-+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+ result = NT_STATUS_DOWNGRADE_DETECTED;
-+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
-+ "without connection level security, "
-+ "must set 'winbind sealed pipes = false' "
-+ "to proceed: %s\n",
-+ domain->name, nt_errstr(result)));
-+ goto done;
-+ }
-+
- result = cli_rpc_pipe_open_noauth(conn->cli,
- &ndr_table_lsarpc.syntax_id,
- &conn->lsa_pipe);
-@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
-
- no_schannel:
- if ((lp_client_schannel() == False) ||
-- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+ result = NT_STATUS_DOWNGRADE_DETECTED;
-+ DEBUG(1, ("Unwilling to make connection to domain %s "
-+ "without connection level security, "
-+ "must set 'winbind sealed pipes = false' "
-+ "to proceed: %s\n",
-+ domain->name, nt_errstr(result)));
-+ TALLOC_FREE(netlogon_pipe);
-+ invalidate_cm_connection(conn);
-+ return result;
-+ }
- /*
- * NetSamLogonEx only works for schannel
- */
---
-2.8.1
-
projects / ipfire-2.x.git / blobdiff